Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency homeassistant to v2023.12.3 [SECURITY] #2

Merged
merged 1 commit into from
Jul 25, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 25, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
homeassistant ==2023.8.0 -> ==2023.12.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-41893

Part of the Cure53 security audit of Home Assistant.

The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned parameters.

Since an arbitrary URL is permitted and homeassistant.local represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s access_token, the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions.

To achieve this compromise attempt, the attacker must send a link with a redirect_uri that they control to the victim’s own Home Assistant instance. In the eventuality the victim authenticates via the said link, the attacker would obtain code sent to the specified URL in redirect_uri, which can then be leveraged to fetch an access_token.

An attacker could increase the efficacy of this strategy by registering a nearly identical domain to homeassistant.local, which at first glance may appear legitimate and thereby obfuscate any malicious intentions.

Nonetheless, owing to the requirements for victim interaction and Home Assistant instance exposure to the Internet, this severity rating was consequently downgraded to Low.

CVE-2023-50715

Summary

The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network.

Details

Starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when:

  • The request is not authenticated and
  • The request originated locally, meaning on the Home Assistant host local subnet or any other private subnet (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8, ::ffff:10.0.0.0/104, ::ffff:172.16.0.0/108, ::ffff:192.168.0.0/112)

The rationale behind this is to make the login more user-friendly (see release blog post) and an experience better aligned with other applications that have multiple user-profiles.

However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.

PoC

  1. Place a Home Assistant instance on a private subnet, i.e., 192.168.1.0/24.
  2. Create a few users, let's say, three.
  3. From any (or another) private subnet on the LAN, like 192.168.2.0/24, open an incognito browser window (to ensure that the browser has no cookies from Home Assistant and therefore is demonstrably unauthenticated) and navigate to the Home Assistant URL.
  4. The login page will display all three users, including their profile photo.

Impact

The following CVSS string could be shaped to describe the overall impact of this issue:
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

As seen, the Exploitability metrics are high, and the Impact metrics are low. This is fitting because the problem does not constitute a critical one, but at the same time, it is trivial to exploit. Still, since the mitigation can be so easily implemented in code to eliminate a typical case of information disclosure, it would certainly be worth pursuing.


Release Notes

home-assistant/core (homeassistant)

v2023.12.3

Compare Source

v2023.12.2

Compare Source

v2023.12.1

Compare Source

v2023.12.0

Compare Source

https://www.home-assistant.io/blog/2023/12/06/release-202312/

v2023.11.3

Compare Source

v2023.11.2

Compare Source

v2023.11.1

Compare Source

v2023.11.0

Compare Source

https://www.home-assistant.io/blog/2023/11/01/release-202311/

v2023.10.5

Compare Source

v2023.10.4

Compare Source

  • Fix Spotify media position update value ([@​Archomeda] - [#​100044]) ([spotify docs])
  • Fix error handling on subscribe when mqtt is not initialized (@​jbouwh - [#​101832]) (mqtt docs)
  • Bump aioesphomeapi to 17.1.4 (@​bdraco - [#​101897]) (esphome docs) (dependency)
  • Bump aioesphomeapi to 17.1.5 (@​bdraco - [#​101916]) (esphome docs) (

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@DonRobo DonRobo merged commit 99c71d4 into main Jul 25, 2024
3 checks passed
@renovate renovate bot deleted the renovate/pypi-homeassistant-vulnerability branch July 25, 2024 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant